Improve FTP Security Using vsftpd with SSL/TLS
Plain FTP, or non-encrypted FTP transfer, is not secure: all data, including the FTP username and password, is sent as plain text, so an attacker who can observe the connection can retrieve it. The best thing to do in this case is to secure the FTP transfer by encrypting the data with SSL/TLS.
In this tutorial we will go through how an FTP server (the server on which the FTP server-side software is installed) can be secured with SSL/TLS, thereby making the file transfer secure. This also helps ensure that shared hosting servers are protected with SSL/TLS encryption.
vsftpd (Very Secure FTP Daemon) is a fast, reliable and secure FTP server.
Installing vsftpd
You can install vsftpd easily via yum as it is available in the default CentOS repository.
yum install vsftpd
Edit vsftpd configuration file to tighten security
Open the vsftpd configuration file (by default: /etc/vsftpd/vsftpd.conf) and add the following lines.
nano /etc/vsftpd/vsftpd.conf
Disable anonymous login
anonymous_enable=NO
Use Linux system users and authentication for login
local_enable=YES
Enable write privilege to modify content
write_enable=YES
Limit each FTP user's access to their own home directory.
chroot_local_user=YES
Setup SSL for vsftpd
Create a new directory for storing the SSL files (certificate and key).
mkdir /etc/ssl/private
We can create the SSL certificate and the key in a single file with the openssl command.
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
This will prompt a few questions about the certificate details, as shown in the screenshot. Just answer the questions and press 'Enter'.
Modify vsftpd config to add SSL/TLS Information
Open vsftpd config file
nano /etc/vsftpd/vsftpd.conf
Add the following lines to specify the location of the certificate and key file:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
To enable SSL on FTP login and data transfer, add the following lines:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
To explicitly allow TLS and deny SSL, add the following lines:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Add these recommended SSL settings as well:
require_ssl_reuse=NO
ssl_ciphers=HIGH
Restart vsftpd service for the changes to take effect.
/etc/init.d/vsftpd restart
This will enable secure file transfers between the local machine and the FTP server.
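As an added check that is not part of the original tutorial, the script below audits an existing vsftpd.conf against the settings recommended above and reports every key that is missing or set differently. It assumes a POSIX shell with awk, takes the config file path as its only argument, and reads the last assignment of a key as the effective one, which is how vsftpd treats repeated keys.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit a vsftpd.conf against the
# settings recommended above. Usage: sh vsftpd_audit.sh /etc/vsftpd/vsftpd.conf
# Assumes a POSIX shell and awk; the file name is the only argument.

# Expected key=value pairs, taken from the tutorial (write_enable is a
# functional choice, not a hardening setting, so it is not checked).
VSFTPD_EXPECTED='anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH'

# Print the effective value of a key (empty if unset). Comment lines are
# skipped and the last assignment wins, which is how vsftpd reads its config.
vsftpd_get() { # $1=config file, $2=key
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { sub(/\r$/, "", val); print val }
    ' "$1"
}

# Compare every expected pair with the file; print one line per deviation.
# Returns 0 when the file matches all recommendations, 1 otherwise.
vsftpd_audit() { # $1=config file
    findings=$(printf '%s\n' "$VSFTPD_EXPECTED" | while IFS='=' read -r key want; do
        have=$(vsftpd_get "$1" "$key")
        [ "$have" = "$want" ] || printf '%s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if [ $# -gt 0 ]; then
    vsftpd_audit "$1"
fi
```

A non-zero exit status makes the check usable from a cron job or a configuration-management hook, so a config that drifts back to plain FTP is noticed.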
We hope you have found this tutorial on how to install vsftpd with SSL/TLS on a CentOS server useful.
Thanks for reading and leave your questions below to keep the conversation going.